
Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl

Comments

6 comments

  • dvk01uk
    I am also getting this. It started on my server on 12 February 22.15 UTC and is intermittent in my logs:
    [2017-02-14 11:05:15 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
      cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
      cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:27 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
      cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
      cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:32 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
      cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
      cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:38 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
      cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
      cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:45 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
      cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
      cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:50 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
      cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
      cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:56 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
      cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
      cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    [2017-02-14 11:05:58 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1373
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1001
      cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 849
      cpanel::cpsrvd::script() called at cpsrvd.pl line 319
    It does seem to coincide with what looks like an attack against the server:
    - - - [02/14/2017:11:04:54 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:04:56 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:04:56 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:04:58 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:04:59 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:01 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:01 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:03 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:04 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:04 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:05 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:05 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:07 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [02/14/2017:11:05:07 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    104.237.132.64 - - [02/14/2017:11:05:10 -0000] "\#ST" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:12 -0000] "00000001-00000001<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:14 -0000] "nbe" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:15 -0000] "" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:18 -0000] "GET / HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:19 -0000] "OPTIONS / HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:20 -0000] "OPTIONS / RTSP/1.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:21 -0000] "?(r????|" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:23 -0000] "versionbind" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:25 -0000] "" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:27 -0000] "HELP" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:29 -0000] "SO?G??,?`~?{?????<=??(" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:31 -0000] "ieU??ndom1random2random3random4/" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:33 -0000] "qj?n0?k??" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:35 -0000] "??SMBr@@?PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:37 -0000] "l" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:39 -0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:39 -0000] "default" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:41 -0000] "0?-c?$" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:43 -0000] "0`?" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:45 -0000] "OPTIONS sip:nm SIP/2.0" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:46 -0000] "TNMPTNME" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:48 -0000] "?" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:50 -0000] "DmdT??" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:52 -0000] ":/@=/@" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:54 -0000] "?MMS?NSPlayer/9...98; {AA-A-a-AAA-AAAAA}?_" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:56 -0000] "Z6,? :?(CONNECT_DATA=(COMMAND=version))" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:05:58 -0000] "" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:06:00 -0000] "GIOP$abcdefget" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:06:02 -0000] "MQTTbe" 401 0 "-" "-" "-" "-" 2087
    104.237.132.64 - - [02/14/2017:11:06:04 -0000] "?+
    0
  • dvk01uk
    I have attached error log & access log that shows all the examples. Looks like a new attack and I don't know how they are doing it.
    Mod Note: Removed. No need for a zip file here. Please see: Guide To Opening An Effective Forums Thread
    0
  • cPanelMichael
    Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.

    Hello,

    This is a warning message that appears in the cPanel error log when someone tries to utilize an invalid URI to access cPanel. You can reproduce that message by accessing a URL such as:
    hxxps://1.2.3.4:2087/cpsess1234567/logout/%0A%22
    You may want to review /usr/local/cpanel/logs/access_log when this happens to verify which IP is making the request to determine if it should be blocked in your firewall.

    Thank you.
    0
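One way to carry out the access_log review suggested in the reply above, as an added example (not code from cPanel or from anyone in this thread): it flags access_log entries whose request field is not an HTTP request line and counts, per client IP, how many cpsrvd warnings occurred within a short window of such a request. The sample log lines are constructed in the layout quoted in this thread, and the function names and the 2-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample data in the log layouts quoted in this thread;
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real hosts.
ACCESS_LOG = '''\
203.0.113.7 - - [02/14/2017:11:05:18 -0000] "GET / HTTP/1.0" 401 0 "-" "-" "-" "-" 2087
203.0.113.7 - - [02/14/2017:11:05:20 -0000] "OPTIONS / RTSP/1.0" 401 0 "-" "-" "-" "-" 2087
203.0.113.7 - - [02/14/2017:11:05:27 -0000] "HELP" 401 0 "-" "-" "-" "-" 2087
203.0.113.7 - - [02/14/2017:11:05:45 -0000] "OPTIONS sip:nm SIP/2.0" 401 0 "-" "-" "-" "-" 2087
198.51.100.9 - - [02/14/2017:11:09:02 -0000] "GET /login/ HTTP/1.1" 200 0 "-" "-" "-" "-" 2087
'''
ERROR_LOG = '''\
[2017-02-14 11:05:27 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
[2017-02-14 11:05:45 +0000] warn [whostmgrd] (XID ny3npv) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 2761.
'''

# The request field may itself contain quotes, so match it greedily and anchor on the fixed tail.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+ (?:"[^"]*" ){4}(\d+)$')
WARN_RE = re.compile(r'^\[([^\]]+)\] warn \[\w+\] .*Documents are not permitted to contain')
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

def malformed_requests(access_text):
    """Return (time, ip, request) for entries whose request is not an HTTP request line."""
    hits = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(1) != "-" and not REQUEST_LINE_RE.match(m.group(3)):
            ts = datetime.strptime(m.group(2), "%m/%d/%Y:%H:%M:%S %z")
            hits.append((ts, m.group(1), m.group(3)))
    return hits

def warning_times(error_text):
    """Timestamps of the cpsrvd 'null characters, or new lines' warnings."""
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
            for m in map(WARN_RE.match, error_text.splitlines()) if m]

def suspects(access_text, error_text, window_s=2):
    """Count, per client IP, warnings that fall within window_s of a malformed request."""
    hits = malformed_requests(access_text)
    counts = Counter()
    for w in warning_times(error_text):
        # A set, so each IP is counted at most once per warning.
        counts.update({ip for ts, ip, _ in hits if abs((ts - w).total_seconds()) <= window_s})
    return counts

if __name__ == "__main__":
    for ip, n in suspects(ACCESS_LOG, ERROR_LOG).most_common():
        print(ip, n)
```

To use it on a server, pass the contents of /usr/local/cpanel/logs/access_log and /usr/local/cpanel/logs/error_log to `suspects()` in place of the constructed samples.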
  • dvk01uk
    Seems strange that in nearly 10 years of running cPanel servers, I have never seen this in error logs (or access logs) until 2 days ago. I suppose that I could have been lucky and never had a previous attack, but suddenly to get them over the last 2 days, every few hours, from different IP numbers (all Linode) just seems too much of a coincidence. Also, only 1 hit in Google for the term "Documents are not permitted to contain null characters, or new lines". I really would have thought that if it was a common attack, Google would have something about it.
    0
  • cPanelMichael
    seems strange that in nearly 10 years of running cPanel servers, I have never seen this in error logs (or access logs) until 2 days ago.

    There was a recent change with the URI handling with cpsrvd included with cPanel version 60:
    Fixed case CPANEL-7803: Reorganize and rework cpsrvd URI parsing.

    Thank you.
    0
  • migandroid
    Today I have this error too. Do I have to take any countermeasures to protect against this?
    /usr/local/cpanel/logs/error_log
    Use of uninitialized value in index at /usr/local/cpanel/Cpanel/Server/Response.pm line 135.
    [2020-03-27 10:13:57 +0000] warn [whostmgrd] (XID gw6h7g) Documents are not permitted to contain null characters, or new lines. at cpsrvd.pl line 3209.
      cpanel::cpsrvd::parse_request_headers() called at cpsrvd.pl line 1745
      cpanel::cpsrvd::receive_and_process_incoming_http_request() called at cpsrvd.pl line 1279
      cpanel::cpsrvd::handle_one_connection(6) called at cpsrvd.pl line 1109
      cpanel::cpsrvd::script() called at cpsrvd.pl line 429
    Use of uninitialized value $document in index at /usr/local/cpanel/Cpanel/Server/Response.pm line 276.
    /usr/local/cpanel/logs/access_log
    - - - [03/27/2020:10:13:00 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [03/27/2020:10:13:01 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [03/27/2020:10:13:03 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [03/27/2020:10:13:04 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    - - - [03/27/2020:10:13:06 -0000] "-" 301 0 "-" "-" "-" "-" 2082
    XX.XXX.XX.XXX - - [03/27/2020:10:13:09 -0000] "#ST" 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:12 -0000] " n beio" 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:14 -0000] " " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:16 -0000] "GET / HTTP/1.0" 200 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:18 -0000] "OPTIONS / HTTP/1.0" 200 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:19 -0000] "OPTIONS / RTSP/1.0" 200 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:20 -0000] " (r" | " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:22 -0000] " versionbind " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:24 -0000] " " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:26 -0000] "HELP" 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:28 -0000] " S O ?G?",?`~{"???<=?? ( " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:30 -0000] " *%? 
    Cookie: mstshash=beio" 200 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:32 -0000] " i eU"?ndom1random2random3random4 / " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:34 -0000] " qjn0k" 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:36 -0000] " ""SMBr @ @ PC NETWORK PROGRAM 1.0 MICROSOFT NETWORKS 1.03 MICROSOFT NETWORKS 3.0 LANMAN1.0 LM1.2X002 Samba NT LANMAN 1.0 NT LM 0.12 " 200 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:37 -0000] "l " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:39 -0000] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 200 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:41 -0000] "default" 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:42 -0000] "0 -c $ " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:44 -0000] "0` " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:46 -0000] "OPTIONS sip:nm SIP/2.0" 200 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:47 -0000] "TNMP TNME " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:49 -0000] " ? " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:50 -0000] "DmdT " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:52 -0000] ": / @ = / @ " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:54 -0000] "JRMI K" 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:56 -0000] " "?" MMS N S P l a y e r / 9 . . . 9 8 ; { A A - A - a - A A A - A A A A A } ?_" 401 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:57 -0000] " Z 6, " : ? 
    (CONNECT_DATA=(COMMAND=version))" 401 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:13:59 -0000] " 4 ( " U MSSQLServer H " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:14:01 -0000] " " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:14:03 -0000] "GIOP $ abcdef get " 400 0 "-" "-" "-" "-" 2087
    XX.XXX.XX.XXX - - [03/27/2020:10:14:04 -0000] " +
    0
